GSE Practical Exam Preparation

flaminiusflaminius Member Posts: 6 ■□□□□□□□□□

I have passed the multiple choice part of the GSE a few weeks ago and I am trying to put together a plan to get ready for the lab in October this year. The problem I have at the moment is that I am not sure how to best go about it. I have tried the GIAC google group but it seems to have gone very quiet over the past 4 weeks and time is flying....

I would be grateful for any advice/comments/insight in regards to the queries I have written below. Also if any of the queries below are "frowned upon" then please let me know as my goal is to learn as much as possible without breaking any rules. My original plan was to get to be as good as possible at network traffic analysis and forensics by simulating different attack scenarios (Backtrack 5 R3 vs Windows/Linux) and supplement that with challenges found on the web. However, after reading the GSE page I am no longer sure that is good way to do it and hence the queries below:

Query 1 - I have so far been using VMWare Fusion on a MacbookPro to simulate different setups - typically 2 VMs (one Backtrack, the other some version of Windows/Linux) - and I have used tools such as NMAP, Scapy, Metasploit and Nessus to learn what information one can get from the different versions of Windows/Linux and to see if I can get some form of access to them. Is such a setup sufficient or is it better to have an actual private network setup with more than 2 machines? Also, is there any advantage to changing from Backtrack to Kali?

Query 2 - I have had a go at Netwars Continuous and while I learned a lot, I am wondering if it is a good way to prepare for the GSE hands-on lab. Apart from the cost (which is significant for me), I am not sure if it is comparable with the GSE hands-on exercises. Is it a good idea to try to do keep doing the Netwars challenges or is it better to try to get something like the advanced penetration testing course exam done by next October?

Query 3 - I also found on the web, sites that have cyber security challenges: forensicscontest.com, honeynet challenges, hack.org, halls-of-valhalla.org and root-me.org (seriously that is the name). I have already worked on some of the challenges from honeynet and root-me.org and while they are good practice in general, are these challenges any use as preparation for the GSE hands-on lab?

Query 4 - In all my exams I have used indexes which I have carefully compiled after the reading the books twice (at least). However, when I did the GSE multiple choice, I used the index the least when compared with my previous exams. Is it a good idea to have an index for the hands-on lab (especially for the tools) or am I better off just with the **** sheets from SANS?

Query 5 - All the web sites I have checked have challenges from the point of view of an attacker (red team). However, my understanding is that the GSE lab will also have exercises from the blue team point of view - does anyone have any advice on how to best prepare for such exercises?

Query 6 - I am currently working on my GPEN and I may have the chance to do one more cert (apart from GPEN) before October (assuming I find that money for it that is). Is there a cert that will help with the GSE practical exam that I should go for and that I have not done before? I have have also done the Windows sec course (sec505), the forensics course (50icon_cool.gif and virtualization one (sec579).

Sorry for the long post and I would appreciate any advice on my queries above.

Kind Regards,



  • Options
    LionelTeoLionelTeo Member Posts: 526 ■■■■■■■□□□
    Hi Flamm,

    Welcome to the forum and I don't think much people can answer you. There isn't anyone here with GSE. I hope you can bring back one and share with us!

    However, I have been researching about this GIAC GSE stuff, reading the official presentation and gathering various tips.

    At a glance at your query, while I do not specifically response to them, I hope you can find most of the answer from what I am going to share below.

    1) GSE is a 48 hour lab exam. The first 24 hour is going to be an Incident Handling practical exam, while the next 24 hours, I presume would consist of the lessons learned from Incident Handling, then moving on to testing your intrusion analysis skill and penetration testing. I do not know how does PGP come into the picture on this lab exam, possibly its an add on part of the exam.

    2) For the Intrusion Analysis Practical, Analysis Section. Download as many packet capture as you can from the internet and annalyse them. You should have no problem finding them via google, most IT Security Professionals would post packet capture similar to the real enviroment as much as possible.

    3) For the Intrusion Analysis Practical, Command Line Section. Run one TCPDump and Wireshark filter everytime you launch attacks in your test enviroment. Aim to keep your command line filter to capture as detailed as close in how see from those packet capture you had analyse.

    4) For the Incident Handling Practical. Download as many infected VM as possible and try to rebuild them. Once again, this is possible and easy to find via google. The only problem is to rebuild and infected machine from a real physical machine. If lucky, you can cover this in your work and request to attach to an incident handling team. If not, get a really cheap laptop, infect and rebuild it until you are satisfy.

    5) For the penetration testing pratical, OSCP is the best way to cover everything. OSCP is a 24 hour penetration testing exam that can train your body to get use to the 48 hour lab and cover everything on aspect on penetration testing as close as possible to the real exam. However, the main difference is that OSCP do not allows Nessus, while GSE allows the use of Nessus. A lot of review I read from OSCP takers and books I read from OCSE, GSE certified professional made a custom script using python for finding vulnerabilities in OSCP. Otherwise the rest of the exam between OSCP and GSE would be largely similar, however, the servers required you to attack and root may be smaller scope for GSE.

    6) One note that is given on regards to GSE is that, examiner find that candidates who had written gold papers perform better on GSE exams. Although I do not have any white papers, I had once research how white papers are written and agree with the authors. Using an One example of a white paper case study of how the white paper is written. (Link: http://www.sans.org/reading-room/whitepapers/testing/post-exploitation-metasploit-pivot-port-33909) This white paper is a simple paper that shows how to pivot using metasploit, the command uses is route print. This command is actually covered in the book metaploit, the penetration tester guide. Reason why I uses this to explain about white paper. If you look at the reference, a good white paper usually had about 5 reference. The first part of the white paper regarding route print is an easy command taken from the book mentioned, second part however, using portfwd command is learned from another reference online. A white paper is something that the material does not cover, and is learned from researching from multiple books, reference and experience. (you can also say book + book, or book + experience, with the word 'book' interchagable for multiple references can assures you a really good white paper topic)

    Thus, the true reason why someone who can write a good white paper perform better than those that took the 5 exam route is because. The person had read up additional books and reference on their free time, and execute techniques that is not taught in the GIAC course book, possible be able to bypass hurdles and scenarios more easily, and thus perform more impressive a candidate who go via the 5 exam route. One example would be a candidate who write a quick python script that allows him to gain a root access to the system.

    7) What book could possibly help right now?

    Some books to work on this in this short months in addition to above would be
    1) Pratical Packet Analysis by Chris Sanders
    2) Network Forensics (the copy written by two SANS instructor)
    3) Incident Response and Computer Forensic (Authors from Madiant)
    4) Advanced Penetration Testing, The Ultimate Guide (not really ultimate, but everything you need to perform a reasonable pentest is in there)
    5) The hacker playbook (I am still in the midst of grasping the content, but looks promising to be a good hacking book for some really nice pentest trick you can execute)

    EDIT: Good luck to you!
  • Options
    flaminiusflaminius Member Posts: 6 ■□□□□□□□□□
    Hi Teo,

    I am most grateful for the insight on the preparation for the practical exam. I already have all the books you mentioned (and at least 10 more than I use regularly - the one on iptables is very useful in general) and I am bit apprehensive as to how many more I should study before the exam. To me the more I read, the more I want to check even more references so I am thinking that the end of July will be the cut off date. If I managed to read it in detail by then good, otherwise one can spend years just reading up more material.
    I will also try the OSCP (I am looking at pen test work anyway so hopefully that will help with my part time work) before September.

    Thanks again for the detailed info and if anyone is interested later on I can post what I have learned from the experience.

  • Options
    GarudaMinGarudaMin Member Posts: 204
    We know that OCSP is more well-known than ECPPT from eLearn Security. But based on the contents/syllabus, I think ECPPT is better (covers more topic). My OCSP experience is old (6+ years ago) and I have not done eLearn courses so I can't tell you exactly. But you may want to check out ECPPT too. Just my 2 cents. I am sure people who have done ECPPT can tell you more.
Sign In or Register to comment.